1. Field of the Invention
The present invention relates to authentication methods, to virtual machines and more particularly to the use of resources by virtual machines.
2. Description of the Related Art
Web applications are conventional. A web application is an application that is accessed via a web browser over a network such as the Internet or an intranet. It is also a computer software application that is coded in a browser-supported language, such as HTML, JavaScript, Java, or the like and reliant on a common web browser to make the application executable or to execute it.
Web services are also conventional. A web service is a software system designed to support interoperable machine-to-machine interaction over a network. Web services may take the form of an application programming interface (API) that can be accessed over a network, such as the Internet, and executed on a remote system hosting the requested services. Many web services are implemented by client computers and server computers that communicate using XML messages according to the SOAP protocol. In some preferred web services systems, there is a machine-readable description of the operations offered by the service. For example, this machine readable description may be written in the Web Services Description Language (WSDL). Web services can be written according to alternative styles including: (i) Remote Procedure Calls; (ii) Service Oriented Architecture; and (iii) Representational State Transfer. Service Oriented Architecture (SOA) is currently preferred. Other web applications are being replaced or supplanted by web services, and especially SOA style web services.
In at least some web services systems, a URL is accessed over a network by the web service without going through a top page. For example, the identity of the URL may be disclosed by Universal Description, Discovery and Integration (UDDI). UDDI is a platform-independent, XML-based registry for businesses worldwide to be listed on the Internet. Unlike web applications, web services may allow access without authentication. Also, the XML typical of web services can express very complex contents within a particular structure, such that a great deal of computer resources are required to parse the data. These resource intensive XML documents may even be small in size, even though they require a lot of resources to be parsed. Sometimes these resource intensive XML documents are sent with the intent to cause damage or harm by consuming system resources to the extent that service from a server is considerably slowed or stopped. This is called a denial of service (DoS) attack. Some DoS attacks are referred to as expanding entity attacks.
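The disproportion described above, between the size of a document and the cost of parsing it, can be measured before the document reaches the real parser. The following is an added example, not part of the original text: a regex-based pre-check that computes the expanded length of nested internal entities arithmetically, without expanding them. The function names, the 4096-character budget and the sample document are assumptions made for illustration.

```python
import re

# Internal general entity declarations only: <!ENTITY name "value">
ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.-]+)\s+(["\'])(.*?)\2\s*>', re.S)
ENTITY_REF = re.compile(r'&([\w.-]+);')
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}

def entity_sizes(xml_text):
    """Fully expanded length of each declared entity, computed without expanding."""
    decls, sizes = {}, {}
    for m in ENTITY_DECL.finditer(xml_text):
        decls.setdefault(m.group(1), m.group(3))  # first declaration binds

    def size(name, stack):
        if name in sizes:
            return sizes[name]
        if name in stack or name not in decls:
            raise ValueError(f"recursive or undeclared entity: {name}")
        value = decls[name]
        total = len(ENTITY_REF.sub("", value))  # literal characters
        for ref in ENTITY_REF.findall(value):   # plus each referenced entity
            total += 1 if ref in PREDEFINED else size(ref, stack | {name})
        sizes[name] = total
        return total

    for name in decls:
        size(name, frozenset())
    return sizes

def estimate_expanded_length(xml_text):
    """Estimated size of the document body after entity expansion (heuristic)."""
    sizes = entity_sizes(xml_text)
    start = xml_text.find("<!DOCTYPE")
    end = xml_text.find("]>", start) if start != -1 else -1
    body = xml_text[end + 2:] if end != -1 else xml_text
    total = len(ENTITY_REF.sub("", body))
    for ref in ENTITY_REF.findall(body):
        total += 1 if ref in PREDEFINED else sizes.get(ref, 0)
    return total

def within_budget(xml_text, limit=4096):
    """True if the document may be handed to the real parser."""
    try:
        return estimate_expanded_length(xml_text) <= limit
    except (ValueError, RecursionError):
        return False  # malformed or pathologically deep entity graph

# Constructed sample: four nested entities, ten references per level.
SAMPLE = '<?xml version="1.0"?>\n<!DOCTYPE r [\n<!ENTITY a "xxxxxxxxxx">\n'
for prev, name in zip("abc", "bcd"):
    SAMPLE += '<!ENTITY %s "%s">\n' % (name, ("&%s;" % prev) * 10)
SAMPLE += "]>\n<r>&d;</r>"
```

The constructed sample is under 300 characters on the wire but expands to more than 10,000, and each additional nesting level multiplies that figure by ten.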
There are conventional methods for authenticating XML documents. One method is called WS-Security. These conventional XML authentication methods use information contained within the XML document itself, such as a SAML token. However, because the authentication information is in the XML document, it is not obtained until the XML document is at least partially processed.
Virtual machines are conventional. A virtual machine (VM) is a software implementation of a machine (that is, a computer) that executes programs like a real machine. For example, the Java Virtual Machine (JVM) is a VM that executes programs written in the Java language. In some web servers (herein called “normal web servers”), each request is processed by its own thread. These threads are mechanisms that allow parallel processing to occur. However, in other web servers (herein called “heap web servers”) there is a heap area (or simply “heap”) that is common to all threads. This heap is a memory area shared by all threads that is used when newly creating an object. Heap web servers are implemented in some VM web servers. Specifically and importantly, while a single JVM can operate multiple threads, the JVM web server is a heap web server, which means that all threads of the JVM share its heap area. Some virtual machines, such as JVM, include a function to change CPU priority for each thread, but this protection does not apply to the heap.
Resource intensive XML documents and/or the use of heap areas can lead to many potential problems. It is dangerous to provide memory and/or CPU time for an unreliable request. One potential problem is shutdown of an entire service due to an out of memory condition. One conventional technique for dealing with the foregoing potential problems is memory management for each thread, but this technique has not been, and may never be, widely adopted. For example, the JVM does not include memory management for each thread.
Garbage collection (GC) is conventional. GC is a form of automatic memory management. The garbage collector, or just collector, attempts to reclaim garbage, or memory used by objects that will never be accessed or mutated again by the application. Garbage collection has been used to solve the problems of manual memory management.
U.S. Pat. No. 7,007,091 (“Inada”) discloses a system where a subject name of a personal certificate is used for access control. In the Inada system, an authentication unit performs an authentication procedure between a client terminal and a web server. The authentication unit receives a certificate from the client terminal for executing the authentication procedure, and its subject name is supplied to extract a predetermined extracted element. An access right for accessing a document is determined based on the extracted element. A relation between the session number and the determined access right is registered. Thereafter, while the session continues, an access right is allowed based on the session number.
U.S. Pat. No. 7,028,298 (“Foote”) discloses a method for managing resource usage of a particular resource by a set of related code, such as code executed on behalf of a downloaded applet. A resource indicator is associated with the related code, and the resource indicator indicates an amount of resource usage of the particular resource by the related code. The resource indicator is updated when the related code changes in its collective resource usage of the particular resource. This is a method of performing memory management for each thread. The Foote system is not easily applicable to heap web servers and/or other heap-based architectures: because one characteristic of threads is that memory can be shared between threads, it is difficult to completely identify the thread that owns an object in the heap.
Description of the Related Art Section Disclaimer: To the extent that specific publications are discussed above in this Description of the Related Art Section, these discussions should not be taken as an admission that the discussed publications (for example, published patents) are prior art for patent law purposes. For example, some or all of the discussed publications may not be sufficiently early in time, may not reflect subject matter developed early enough in time and/or may not be sufficiently enabling so as to amount to prior art for patent law purposes. To the extent that specific publications are discussed above in this Description of the Related Art Section, they are all hereby incorporated by reference into this document in their respective entirety(ies).